For a comprehensive discussion of security and detailed information about security
administration activities, see the SAS Intelligence Platform: Security Administration
Guide and the SAS Guide to Metadata-Bound Libraries, which are available at http://
Authorization and Permissions Overview
Authorization is the process of determining which users have which permissions for
which resources. The SAS Intelligence Platform includes an authorization mechanism
that consists of access controls that you define and store in a metadata repository. These
metadata-based controls supplement protections from the host environment and other
systems. You can use the metadata authorization layer to manage access to the following:
• almost any metadata object (for example, reports, data definitions, information maps,
jobs, stored processes, and server definitions)
• OLAP data
• relational data (depending on the method by which the data is accessed)
You can set permissions at several levels of granularity:
• Repository-level controls provide default access controls for objects that have no
other access controls defined.
• Resource-level controls manage access to a specific item such as a report, an
information map, a stored process, a table, a column, a cube, or a folder. The controls
can be defined individually (as explicit settings) or in patterns (by using access
• Fine-grained controls affect access to subsets of data within a resource. You can use
these controls to specify who can access particular rows within a table or members
within a cube dimension.
You can assign permissions to individual users or to user groups. Each SAS user has an
identity hierarchy that starts with the user's individual SAS identity and can include
multiple levels of nested group memberships.
The effect of a particular permission setting is influenced by any related settings that
have higher precedence. For example, if a report inherits a grant from its parent folder
but also has an explicit denial, the explicit setting determines the outcome.
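The precedence rule above, worked through as an added Python sketch (a simplified model, not SAS code and not taken from the guide). It resolves a permission by checking explicit settings on the item, then settings inherited from parent folders, then the repository default. The identity, folder and report names are constructed, and two rules are assumptions of this model: the nearest identity level decides, and a grant/deny tie at the same level resolves to a deny.

```python
from dataclasses import dataclass, field

@dataclass
class Item:
    name: str
    parent: "Item | None" = None
    # Explicit controls on this item: {(identity, permission): True=grant, False=deny}
    explicit: dict = field(default_factory=dict)

def identity_levels(user, memberships):
    """Identity hierarchy as levels: [{user}, {direct groups}, {nested groups}, ...]."""
    levels, seen, frontier = [], {user}, {user}
    while frontier:
        levels.append(frontier)
        nxt = set()
        for ident in frontier:
            nxt |= set(memberships.get(ident, ())) - seen
        seen |= nxt
        frontier = nxt
    return levels

def setting_on(item, levels, permission):
    """Nearest identity level with a setting on this item decides.
    Assumption of this model: a grant/deny tie at one level resolves to deny."""
    for level in levels:
        found = [item.explicit[(i, permission)] for i in level
                 if (i, permission) in item.explicit]
        if found:
            return all(found)
    return None  # no setting for any of the user's identities

def is_granted(user, permission, item, memberships, repo_default):
    """Walk item -> parent folders -> repository default; first setting found wins."""
    levels = identity_levels(user, memberships)
    node, source = item, "explicit"
    while node is not None:
        decision = setting_on(node, levels, permission)
        if decision is not None:
            return decision, f"{source} on {node.name}"
        node, source = node.parent, "inherited"
    return repo_default.get(permission, False), "repository default"

# Constructed sample data (hypothetical names).
memberships = {"alice": ["Report Authors"], "Report Authors": ["Finance"]}
folder = Item("/Finance", explicit={("Finance", "ReadMetadata"): True})
q3 = Item("Q3 Report", folder, {("Report Authors", "ReadMetadata"): False})
q2 = Item("Q2 Report", folder)

if __name__ == "__main__":
    for report in (q3, q2):
        print(report.name, is_granted("alice", "ReadMetadata", report, memberships, {}))
```

Both reports sit in the same folder and inherit the same grant, but only the one carrying an explicit denial is refused, which is the case an access review should look for when a user reports inconsistent visibility inside one folder.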
The available metadata-based permissions are summarized in the following table.
Table 7.1 Metadata-Based Permissions
Use to control user interactions with a
54 Chapter 7 • Security Overview